[Rabbit-dev] strange 403 response
Romain Godefroy
rgodefroy at thalos.fr
Tue Nov 29 11:35:06 CET 2011
I found that when we have the problem, the forbidden handler is set on
the ressource handler from cache (SCC > proxy.getCacheHandlerFactory)
It could come from the combinaison of our default handler set to
forbidden and empty cache handlers configuration.
I add:
...
[CacheHandlers]
defaulthandler=rabbit.handler.BaseHandler
...
And it looks like we don't have the error any more!
We will confirm this with new tests...
Le 29/11/2011 09:41, Romain Godefroy a écrit :
> Hi,
>
> Many thanks for your help.
>
> Here is the configuration :
> ------------------------------------------------------------------
> ########## Configuration generale
> [rabbit.proxy.HttpProxy]
> listen_ip=0.0.0.0
> port=28082
> logo=http://$proxy/FileSender/public/logo_thalos.png
> serverIdentity=ocb_proxy
> StrictHTTP=false
> http_generator_factory=rabbit.proxy.StandardHttpGeneratorFactory
>
> [logging]
> access_log_level=FINEST
> access_log=logs/access_log.%g
> access_size_limit=1000 # in MB
> access_num_files=1
> error_log_level=FINEST
> error_log=logs/error_log.%g
> error_size_limit=1000 # in MB
> error_num_files=1
>
> [data_sources]
>
> [dns]
> dnsHandler=rabbit.dns.DNSSunHandler
>
> [rabbit.dns.DNSJavaHandler]
> dnscachetime=8
>
> [rabbit.io.ConnectionHandler]
> keepalivetime=30000
> usepipelining=false
>
> [rabbit.proxy.StandardHttpGeneratorFactory]
>
> [rabbit.proxy.FileTemplateHttpGeneratorFactory]
> error_pages=htdocs/error_pages
>
> [sslhandler]
> allowSSL=443
>
> ######### Activation des filtres HTTP
> [Filters]
> accessfilters=rabbit.filter.AccessFilter
> httpinfilters=rabbit.filter.HttpBaseFilter,rabbit.filter.ProxyAuth,rabbit.filter.ReplaceHeaderFilter,rabbit.filter.RevalidateFilter
>
> httpoutfilters=rabbit.filter.HttpBaseFilter
> conectfilters=
>
>
> ######### Parametrage des filtres HTTP
> [rabbit.filter.AccessFilter]
> accessfile=conf/access
>
> [rabbit.filter.HttpBaseFilter]
> remove=Connection,Proxy-Connection,Keep-Alive,Public,Transfer-Encoding,Upgrade,Proxy-Authorization,TE,Proxy-Authenticate,Trailer
>
> userfile=conf/users
> # cacher les contenus avec un cookie (les sites doivent renvoyer un
> don't cache en cas de données sensibles)
> cookieid=false
>
> [rabbit.filter.ProxyAuth]
> one_ip_only=false
> cachetime=5
> authenticator=plain
> userfile=conf/allowed
>
> [rabbit.filter.ReplaceHeaderFilter]
> # se faire passer pour un mobile
> request.User-Agent=Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en-US)
> AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.246 Mobile
> Safari/534.1+
>
> [rabbit.filter.RevalidateFilter]
> # ce qui est dans le revalidate est toujours demandé au serveur
> (vérification du cache)
> alwaysrevalidate=false
> # a regexp matching sites to re-validate
> #revalidate=freshmeat.net/$|slashdot.org/$|http://www/$|newsforge.com/$
> revalidate=
>
>
> ########## Declaration des handlers sur les content-type
> [Handlers]
> # recompresser les images en webp
> image/.*=rabbit.handler.ImageHandler*webp
> # filtrer le html
> text/html(;(charset\=.*)?)?=rabbit.handler.FilterHandler
> application/xhtml.*=rabbit.handler.FilterHandler
> text/xhtml(;(charset\=.*)?)?=rabbit.handler.FilterHandler
> # Seulement compresser ces types mimes :
> text/plain(;(charset\=.*)?)?=rabbit.handler.GZipHandler
> text/xml(;(charset\=.*)?)?=rabbit.handler.GZipHandler
> application/xml(;(charset\=.*)?)?=rabbit.handler.GZipHandler
> application/postscript(;(charset\=.*)?)?=rabbit.handler.GZipHandler
> text/css(;(charset\=.*)?)?=rabbit.handler.GZipHandler
> # politique par defaut :
> defaulthandler=rabbit.handler.ForbiddenHandler
>
> [CacheHandlers]
>
> [rabbit.cache.NCache]
> directory=cache
> # sans durée de vie, le cache expire au bout de : (en heures)
> cachetime=720
> # taille du cache en Mo
> maxsize=10000
> # temporisation du scrutateur de nettoyage du cache (en secondes)
> cleanloop=300
>
>
> ########## Parametrage des handlers sur les content-types
> # celui pour le filtre HTML
> [rabbit.handler.FilterHandler]
>
> filters=rabbit.filter.ScriptFilter,rabbit.filter.AdFilter
> #filters=rabbit.filter.AdFilter
> compress=true
> repack=true
>
> [rabbit.handler.ImageHandler*webp]
> convert=/usr/bin/gm
> convertargs=convert -quality 100 -resize "800>" -flatten $filename
> +profile "*" jpeg:$filename && /opt/webp/libwebp/cwebp -m 6 -q 10
> $filename -o $filename.c
> min_size=0
> force_converted=true
>
> [rabbit.handler.GZipHandler]
> compress=true
>
> [rabbit.handler.ForbiddenHandler]
>
>
> ########## Parametrage des filtres HTML
> #XXX RGO/GHU : liste pub ?
> # The list of evils. A regexp.
> [rabbit.filter.AdFilter]
> adlinks=[/.]((c|net|ns|surf|page|imag)?ad([svq]|fu|srv|[sz]erver|log|bannercenter|_?click|verts|finity|force|click|tech)?\d*|banner|linkexchange|acc_clickthru|action|vertising)[/.]|gen_addframe|event.ng|/m=|/ad(num|vert|name)?=|/site_id=|support.net|/redir\.|\?assoc=
>
> adreplacer=http://$proxy/FileSender/public/stop.png
> ---------------------------------------------------------------------------------
>
>
> We tried to replace defaulthandler=rabbit.handler.ForbiddenHandler
> with BaseHandler but the 403 is still there sometimes.
>
> Romain
>
> Le 28/11/2011 22:09, Robert Olofsson a écrit :
>> Hi!
>>
>> On Mon, 2011-11-28 at 17:40 +0100, Romain Godefroy wrote:
>>> For the same ressource, without any change to configuration, sometimes
>>> Rabbit return a 403, and not to all clients at the same time.
>> That sounds odd.
>> I know of only a few different reasons that rabbit start dealing out
>> 403 results.
>> 1) SSL traffic that is not allowed (by the configuration).
>> 2) BlockFilter / SQLBlockFilter
>> 3) A path for status pages when you run rabbit as a reverse proxy
>>
>> You do not say anything about what filters you have enabled so
>> it is very hard for me to diagnose it like this.
>>
>> Can you provide the configuration?
>>
>> /robo
>>
>>
>>
>
More information about the Rabbit-dev
mailing list